[getdns-api] some early API comments
Joe Hildebrand jhildebr
Tue Jan 22 19:20:43 CET 2013
On 1/22/13 11:13 AM, "Phil Pennock" <getdns-api-phil at spodhuis.org> wrote:
>If all the DNSSEC logic is encapsulated inside a dedicated resolver,
>then you just need to replace the resolver.
>
>If all the DNSSEC logic is also embedded into every application that
>uses DNS, you need to replace every application that uses DNSSEC;
>hopefully it's just a library update, but it still is going to cause
>dependency issues, change management issues, etc etc.

As an application developer, I can never get the resolver replaced. Ever.
I can't control what other applications do, nor do I care. I *can*
update my applications at will, and for some of those applications force
people to take upgrades before accessing a service I care about.

>For most of my career, I've been a professional sysadmin/SRE. As
>someone responsible for the lifecycle of an entire system, I'd *far*
>rather see the complexity and security-impacting decisions of something
>exposed to data from the outside world via UDP constrained to one
>service, running as a uid with no access rights to sensitive data, and
>then talk to that service via a separate link, whether it's a generic
>RPC mechanism or regular DNS, perhaps with TSIG for certainty if it's
>not on localhost.

Multiple layers of security are fine.

--
Joe Hildebrand